cryptographyfandomcom-20200215-history
MQV
MQV (Menezes–Qu–Vanstone) is an authenticated protocol for key agreement based on the Diffie–Hellman scheme. Like other authenticated Diffie-Hellman schemes, MQV provides protection against an active attacker. The protocol can be modified to work in an arbitrary finite group, and, in particular, elliptic curve groups, where it is known as elliptic curve MQV (ECMQV). MQV was initially proposed by Menezes, Qu and Vanstone in 1995. It was modified with Law and Solinas in 1998. There are one-, two- and three-pass variants. MQV is incorporated in the public-key standard IEEE P1363. Some variants of MQV are claimed in patents assigned to Certicom http://www.certicom.com/index.php?action=ip,protocol. MQV has some weaknesses that were fixed by HMQV in 2005 http://eprint.iacr.org/2005/176; see http://eprint.iacr.org/2005/205, http://www.ams.org/notices/200708/tx070800972p.pdf, http://www.ams.org/notices/200711/tx071101454p.pdf for an alternative viewpoint. ECMQV has been dropped from the National Security Agency's Suite B set of cryptographic standards. Both MQV and HMQV have weaknesses, that are fixed in the FHMQV protocol (see http://eprint.iacr.org/2009/408) __TOC__ Description Alice has a key pair (A,a) with A'' her public key and ''a her private key and Bob has the key pair (B,b) with B'' his public key and ''b his private key. In the following \bar{R} has the following meaning. Let R = (x,y) be a point on an elliptic curve. Then \bar{R} = (x\, \bmod\, 2^L) + 2^L where L = \left \lceil \frac{\lfloor \log_{2} n \rfloor + 1}{2} \right \rceil and n'' is the order of the used generator point ''P. So \bar{R} are the first L'' bits of the x coordinate of ''R. Note: for the algorithm to be secure some checks have to be performed. See Hankerson et al. Correctness Bob calculates: K = h \cdot S_b (X + \bar{X}A) = h \cdot S_b (xP + \bar{X}aP) = h \cdot S_b (x + \bar{X}a)P = h \cdot S_b S_a P . Alice calculates: K = h \cdot S_a (Y + \bar{Y}B) = h \cdot S_a (yP + \bar{Y}bP) = h \cdot S_a (y + \bar{Y}b)P = h \cdot S_b S_a P . So the keys K are indeed the same with K = h \cdot S_b S_a P See also * Elliptic curve cryptography References * Burton S. Kaliski Jr., An unknown key-share attack on the MQV key agreement protocol. ACM Trans. Inf. Syst. Secur. 4(3): pp275–288 (2001) * Laurie Law, Alfred Menezes, Minghua Qu, Jerry Solinas, Scott A. Vanstone, An Efficient Protocol for Authenticated Key Agreement. Des. Codes Cryptography 28(2): pp119–134 (2003) * Peter J. Leadbitter, Nigel P. Smart: Analysis of the Insecurity of ECMQV with Partially Known Nonces. ISC 2003: pp240–251 * A. Menezes, M. Qu, and S. Vanstone, Some new key agreement protocols providing implicit authentication, Preproceedings of Workshops on Selected Areas in Cryptography (1995). * D. Hankerson, A. Menezes, and S.A. Vanstone, Guide to Elliptic Curve Cryptography, Springer-Verlag, 2004. External links * A Secure and Efficient Authenticated Diffie–Hellman Protocol by Sarr, Elbaz-Vincent, and Bajard * HMQV: A High-Performance Secure Diffie–Hellman Protocol by Hugo Krawczyk * Another look at HMQV * An Efficient Protocol for Authenticated Key Agreement * MQV and HMQV in IEEE P1363 (power point) Category:Public-key cryptography Category:Asymmetric-key cryptosystems simple:MQV